{
	"id": "425a3199-7fb4-4cc8-aae0-36cf0346d77d",
	"created_at": "2026-04-06T01:30:26.263486Z",
	"updated_at": "2026-04-10T13:12:43.928897Z",
	"deleted_at": null,
	"sha1_hash": "dba06366bee21a001a5713237051051e42998b2b",
	"title": "Dancing through a multi-language phishing campaign in Europe)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48391,
	"plain_text": "Dancing through a multi-language phishing campaign in Europe\r\nPublished: 2025-06-16 · Archived: 2026-04-06 00:26:28 UTC\r\nAuthors: Marine Pichon, Alexis Bonnefoi\r\nSpecial thanks to Niels Van Dorpe and Simon Vernin.\r\nThis report is the result of a fruitful collaboration between teams inside Orange Cyberdefense, including the Incident Response team, World Watch, the Reverse Engineering Team and Managed Threat Detection.\r\nTL;DR\r\nOrange Cyberdefense CERT investigated an ongoing malicious campaign actively impacting European organizations.\r\nLikely emanating from Brazilian Portuguese-speaking threat actors, this campaign distributes a version of the Remote Access Trojan (RAT) Sorillus.\r\nSorillus RAT is a malware-as-a-service that was sold between 2019 and 2025. Several cracked versions are also publicly available. The malware has also been documented by other researchers under the name SambaSpy.\r\nThe malicious cluster makes use of numerous tunneling services, including ngrok[.]app, ngrok[.]dev, ngrok[.]pro, localto[.]net and ply[.]gg.\r\nIoCs can be found on our dedicated GitHub page here.\r\nNote: The analysis cut-off date for this report was June 03, 2025.\r\nIntroduction\r\nIn March 2025, our Managed Threat Detection teams in Belgium identified a malicious infection chain leading to the delivery of a Remote Access Trojan (RAT) impacting one of our clients. Upon further analysis by Orange Cyberdefense CERT, a larger campaign impacting European organizations located in Spain, Portugal, Italy, France, Belgium and the Netherlands was discovered.\r\nThe threat actors behind this infection chain cluster rely on invoice-themed phishing for initial access and deliver a .jar file which corresponds to a version of Sorillus RAT.\r\nThe campaign was also covered in early May by Fortinet, which dubbed the malware “Ratty RAT”. Sorillus has also been previously detailed by Abnormal AI and eSentire.\r\nSorillus RAT\r\nhttps://www.orangecyberdefense.com/global/blog/cert-news/from-sambaspy-to-sorillus-dancing-through-a-multi-language-phishing-campaign-in-europe\r\nPage 1 of 3\r\nSorillus is a Java-based multifunctional remote access trojan (RAT) that surfaced in 2019. The malware was developed by a user known as \"Tapt\". It was previously sold online on the now-defunct website (hxxps://sorillus[.]com) for 59.99€ (for lifetime access) or 19.99€ (as a discounted price). The malware was also extensively advertised on the former Nulled Forum by a user named @theMougas.\r\nHistorical infection chains\r\nBetween 2019 and 2025, Sorillus has been observed in several financially-motivated campaigns where it was primarily distributed through phishing emails.\r\nBetween February 2022 and March 2022, Abnormal researchers observed threat actors sending tax-themed emails written in English, followed up with a second email dropping a malicious file through a mega[.]nz link. The mega[.]nz file typically masqueraded as a PDF file, but actually consisted of a ZIP archive containing a JAR file that delivered a Sorillus sample.\r\nIn 2023, eSentire researchers observed Sorillus being distributed as a ZIP attachment in a tax-themed email. The ZIP contained an HTML file smuggling a JAR file with the RAT binary. This campaign leveraged Google’s Firebase Hosting service.\r\nIn September 2024, Kaspersky researchers documented a malicious phishing campaign exclusively targeting Italy that closely mirrored activity observed by our CyberSOC this year. This cluster also led to a malicious JAR file hosted on MediaFire, which is either a dropper or a downloader. Kaspersky researchers nevertheless did not recognize this threat as belonging to the Sorillus family and therefore tracked it as SambaSpy. They also attributed the campaign to Brazilian threat actors.\r\nIntermediary dropper\r\nDuring our investigation, we also retrieved Sorillus distribution chains leveraging an intermediary dropper with logging messages written in Brazilian Portuguese. This overlaps with what Kaspersky researchers noted when digging into SambaSpy (infection chain n°2). The dropper observed by Kaspersky checks whether it is running in a VM environment, as well as the language of the machine, before executing the malware embedded in the resources of the JAR file.\r\nYet, the dropper we found is slightly different: it does not perform these checks and instead loads two distinct stages: the Sorillus RAT and an XOR-encrypted shellcode which drops an AsyncRAT payload. The shellcode is likely generated using the open-source tool Donut and uses this technique for code injection.\r\nConclusion\r\nOur investigation documents a threat campaign leveraging the Sorillus Remote Access Trojan to compromise European organizations through invoice-themed phishing lures. The operation showcases a strategic blend of legitimate services, such as OneDrive, MediaFire, and tunneling platforms like Ngrok and LocaltoNet, to evade detection.\r\nThe repeated use of Brazilian Portuguese in payloads supports a likely attribution to Brazilian Portuguese-speaking threat actors.\r\nDespite the takedown of the malware’s commercial infrastructure, the wide availability of cracked Sorillus versions ensures the RAT remains an accessible and attractive tool for low- to mid-sophistication actors.\r\nIoCs can be found on our dedicated GitHub page here.\r\nRecommendations\r\nMonitor or block the Ngrok, LocaltoNet and playit[.]gg tunneling domains (respectively ngrok[.]app, ngrok[.]dev, ngrok[.]pro, localto[.]net and ply[.]gg) if they are not used legitimately for proxying traffic. As a reminder, many other tunneling services exist.\r\nMonitor or block MediaFire downloads if not legitimately used.\r\nMonitor or block the “1drv.ms” domain (personal OneDrive links) if not legitimately used.\r\nThe cybersecurity incident response team (CSIRT) in Orange Cyberdefense provides emergency consulting, incident management, and technical advice to help customers handle a security incident from initial detection to closure and full recovery. If you suspect you are being attacked, don’t hesitate to call our hotline.\r\nOrange Cyberdefense’s Datalake platform provides access to Indicators of Compromise (IoCs) related to this threat, which are automatically fed into our Managed Threat Detection services. This enables proactive hunting for IoCs if you subscribe to our Managed Threat Detection service that includes Threat Hunting. If you would like us to prioritize addressing these IoCs in your next hunt, please make a request through your MTD customer portal or contact your representative.\r\nOrange Cyberdefense’s Managed Threat Intelligence [protect] service offers the ability to automatically feed network-related IoCs into your security solutions. To learn more about this service and to find out which firewall, proxy, and other vendor solutions are supported, please get in touch with your Orange Cyberdefense Trusted Solutions representative.\r\nSource: https://www.orangecyberdefense.com/global/blog/cert-news/from-sambaspy-to-sorillus-dancing-through-a-multi-language-phishing-campaign-in-europe",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.orangecyberdefense.com/global/blog/cert-news/from-sambaspy-to-sorillus-dancing-through-a-multi-language-phishing-campaign-in-europe"
	],
	"report_names": [
		"from-sambaspy-to-sorillus-dancing-through-a-multi-language-phishing-campaign-in-europe"
	],
	"threat_actors": [],
	"ts_created_at": 1775439026,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dba06366bee21a001a5713237051051e42998b2b.pdf",
		"text": "https://archive.orkl.eu/dba06366bee21a001a5713237051051e42998b2b.txt",
		"img": "https://archive.orkl.eu/dba06366bee21a001a5713237051051e42998b2b.jpg"
	}
}